Run this command with debugging prints.

openssl s_client -connect 16.183.93.84:8444 -debug -msg

>     Protocol  : TLSv1.2
>     Cipher    : 0000

It seems something broken as there is no Cipher

Regards,
Sanaullah

On Wed, Aug 5, 2015 at 3:52 PM, Nikitha Benny <nikki.be...@gmail.com> wrote:

> Hi Mark, Sanaullah,
>
> Thank you for your valuable suggestion.
>
> I just ran the openssl s_client scan, and it looks like the server side is
> running fine on TLSv1.2 Protocol.
>
> [root]## openssl s_client -connect 16.183.93.84:8444
> CONNECTED(00000003)
> - - - - - - -
> - - - - - - -
> - - - - - - -
> - - - - - - -
>
> 9ICKPG6kxtrZMUUnb/RgYH0FEqAWxvAbj08ZtJXHoGyRAmFcLKUtQBw8wifqXjYP
> dok1aLR6ZwG+iD+urs1SLFyUmENSywwZtrKpgorQR+LRtC77E3gyNSmJP+i02SpC
> Dwt/kR6w4FmSD+k3+RJik2+SabfTbE1F2Iho/XLFyU0SwKEhi54pdYohuuEfFwnU
> d/A4
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1476 bytes and written 7 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID: 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1438771286
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
>
> So could it be an issue with the browser?
> Since the browser is not FIPS compliant, could it be the reason for the
> issue?
>
> Regards,
> Nikitha
>
> On Wed, Aug 5, 2015 at 3:24 PM, Sanaullah <sanaulla...@gmail.com> wrote:
>
> > Hi Nikitha,
> >
> > run the sslscan tool from the command line or openssl s_client in debug
> > mode
> > https://github.com/rbsec/sslscan
> >
> > Regards,
> > Sanaullah
> >
> > On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny <nikki.be...@gmail.com>
> > wrote:
> >
> > > Hi Mark,
> > >
> > > My server is not on a public domain.
> > > How can I verify the setup which is on a private network?
> > >
> > > Regards,
> > > Nikitha
> > >
> > > On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas <ma...@apache.org> wrote:
> > >
> > > > On 05/08/2015 07:32, Nikitha Benny wrote:
> > > > > Hi Mark,
> > > > >
> > > > > When I try to run Tomcat on the https server port:
> > > > >
> > > > > https://<ip address>:8444/
> > > > >
> > > > > It says as below:
> > > > > ----------
> > > > >
> > > > > SSL connection error
> > > > >
> > > > > ERR_SSL_PROTOCOL_ERROR
> > > > >
> > > > > Unable to make a secure connection to the server. This may be a problem
> > > > > with the server, or it may be requiring a client authentication certificate
> > > > > that you don't have
> > > > > ------------
> > > >
> > > > That is the client side. What about server side logs?
> > > >
> > > > > We have set the client authentication to False, so it does not need any
> > > > > client authorized certificate.
> > > >
> > > > I recommend you run https://www.ssllabs.com/ssltest/ against your
> > > > server. That will tell you if you have a server side issue, a client
> > > > side issue or simply a mismatch between the two.
> > > >
> > > > Mark
> > > >
> > > > >
> > > > > Regards,
> > > > > Nikitha
> > > > >
> > > > > On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny <nikki.be...@gmail.com>
> > > > > wrote:
> > > > >
> > > > >>> But still Tomcat does not run on the https port.
> > > > >>
> > > > >> As in, when we run Tomcat on the https server port it does not display the
> > > > >> page.
> > > > >> Whereas it goes through fine on the http port. The URL opens.
> > > > >>
> > > > >> On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas <ma...@apache.org> wrote:
> > > > >>
> > > > >>> On 04/08/2015 13:19, Nikitha Benny wrote:
> > > > >>>> Hello Mark,
> > > > >>>>
> > > > >>>> Thanks for your valuable suggestion.
> > > > >>>>
> > > > >>>> We were successful in creating the pkcs12 keystore which picks up SHA256 as
> > > > >>>> shown below:
> > > > >>>
> > > > >>> <snip/>
> > > > >>>
> > > > >>>> But still Tomcat does not run on the https port.
> > > > >>>
> > > > >>> Define "does not run".
> > > > >>>
> > > > >>>> Any clue as to why this happens?
> > > > >>>
> > > > >>> Based on the information provided so far, no.
> > > > >>>
> > > > >>>> The protocol I am using is "org.apache.coyote.http11.Http11Protocol".
> > > > >>>
> > > > >>> OK. That is the HTTP BIO connector.
> > > > >>>
> > > > >>>> Could it be because I am not using an APR connector protocol?
> > > > >>>
> > > > >>> No.
> > > > >>>
> > > > >>> Mark
> > > > >>>
> > > > >>> ---------------------------------------------------------------------
> > > > >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > > >>> For additional commands, e-mail: users-h...@tomcat.apache.org
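
Added example, not part of the original thread: a shell function that applies the check made in the top reply (no cipher in the s_client summary) to saved `openssl s_client` output. The function and sample names are hypothetical; the first sample reuses the summary lines posted in the thread, the second is constructed.

```bash
#!/usr/bin/env bash
# Added example: classify an `openssl s_client` summary as a completed or
# a failed handshake. A "Protocol" line alone is not treated as success;
# the verdict depends on whether a cipher suite was actually negotiated.

classify_s_client() {   # reads s_client output on stdin, prints one verdict line
  awk '
    function val(line) {            # text after the first ":" with blanks trimmed
      sub(/^[^:]*:[ \t]*/, "", line); sub(/[ \t]+$/, "", line); return line
    }
    /^New, /                  { negotiated = $0 }
    /^[ \t]*Protocol[ \t]*:/  { proto  = val($0) }
    /^[ \t]*Cipher[ \t]*:/    { cipher = val($0) }
    /^SSL handshake has read/ { written = $9 }      # bytes the client sent
    END {
      if (negotiated ~ /\(NONE\)/ || cipher == "" || cipher == "0000")
        printf "FAILED: no cipher suite negotiated (Protocol field: %s, client wrote %s bytes)\n", proto, written
      else
        printf "OK: %s %s\n", proto, cipher
    }'
}

sample_failed() {   # summary lines as posted in the thread
  cat <<'EOF'
SSL handshake has read 1476 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 18 (self signed certificate)
EOF
}

sample_ok() {       # constructed sample of a completed handshake
  cat <<'EOF'
SSL handshake has read 1893 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
EOF
}

sample_failed | classify_s_client
sample_ok | classify_s_client
```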